aws.hostedzone

Filters

query-logging-enabled

properties:
  state:
    type: boolean
  type:
    enum:
    - query-logging-enabled
required:
- type

shield-enabled

properties:
  state:
    type: boolean
  type:
    enum:
    - shield-enabled
required:
- type

Actions

set-query-logging

Enables query logging on a hosted zone.

By default this enables a log group per route53 domain, alternatively a log group name can be specified for a unified log across domains.

Note this only applicable to public route53 domains, and log groups must be created in us-east-1 region.

This action can optionally setup the resource permissions needed for route53 to log to cloud watch logs via set-permissions: true, else the cloud watch logs resource policy would need to be set separately.

Its recommended to use a separate custodian policy on the log groups to set the log retention period for the zone logs. See custodian schema aws.log-group.actions.set-retention

example

policies:
  - name: enablednsquerylogging
    resource: hostedzone
    region: us-east-1
    filters:
      - type: query-logging-enabled
        state: false
    actions:
      - type: set-query-logging
        state: true
properties:
  log-group:
    default: auto
    type: string
  log-group-prefix:
    default: /aws/route53
    type: string
  set-permissions:
    type: boolean
  state:
    type: boolean
  type:
    enum:
    - set-query-logging
required:
- type

set-shield

Enable shield protection on applicable resource.

setting sync parameter will also clear out stale shield protections for resources that no longer exist.

properties:
  state:
    type: boolean
  sync:
    type: boolean
  type:
    enum:
    - set-shield
required:
- type